Major Cyber Insurance Overhaul Begins Now
From Lloyd’s of London to the new National Cybersecurity Strategy, the future of cyber insurance is evolving fast. What do you need to watch?
April 09, 2023 • Dan Lohrmann
One thing is clear about cyber insurance in the spring of 2023: The status quo is not sustainable.
And now, Lloyd’s of London, a major player in the global insurance market, is calling for dramatic changes in the cyber insurance market. According to The Financial Times (FT), “From next month, Lloyd’s will require the dozens of insurers that operate in the market to include exemptions that would prevent policies paying out if a major attack is judged to be ‘state-backed.’
“Exclusions for acts of war have long been a staple of policies ranging from property to motor, shielding insurers from the potentially crippling claims that a physical conflict generates. But Lloyd’s, a powerhouse in the global industry, believes war exclusions need updating for the Internet age, when cyber warfare can be government sponsored even in the absence of conventional conflict. Failure to exclude significant state-backed attacks from policies would leave insurers exposed to 'systemic risk,' Lloyd’s said when it first announced the plan last summer.”
The article goes on to point out that Fitch Ratings forecasts the total spend on cybersecurity policies globally could reach $22.5 billion by 2025 — up from $10 billion globally in 2022.
According to Tech Monitor, Lloyd's of London's controversial clause has caused consternation for many in the insurance industry as they rush to abide by the deadline: “The cyber war exclusion clause was announced in August of last year and recommends that standalone cybersecurity policies exclude coverage of attacks implemented by state-sponsored cyber criminals. Written by Lloyd’s underwriting director Tony Chaudhry, the clause is expected to add clarity to an unclear field that can lead to billions of pounds worth of risk.
“The requirements set out here take effect from 31 March 2023 at the inception or on renewal of each policy,” reads the bulletin. “There is no requirement to endorse existing, in-force policies, unless the expiry date is more than 12 months from 31 March 2023. Managing agents will nevertheless wish to start at an early stage to determine their approach to adopting appropriate exclusion clauses.”
WHO TO BLAME?
There are several excellent articles on the challenges of attribution regarding cyber attacks, and these new cyber insurance clauses leave many questions unanswered that may ultimately be decided by the courts.
At the heart of this matter are questions that we have been debating for many years such as:
How do you define "cyber war"?
How can attribution be truly known for cyber attacks?
Who will be the deciding organization when disagreements arise?
I like this article at Marsh.com on moving toward clarity on some of these topics. Here's an excerpt:
"In the spirit of transparency, we share here a high-level summary of themes explored through our work with Munich Re, including that:
The endorsement should not serve as a catastrophic risk catchall.
The endorsement should clarify the scope of coverage provided resulting from state-backed cyber attacks.
The endorsement should bring clarity to what constitutes war, and avoid conflation with the concept of a cyber operation.
The introduction of new concepts like 'cyber operations,' 'major detrimental impact,' 'impacted state,' and 'essential services' should be as clear and unambiguous as possible in order to avoid or minimize disputes as to the meaning of the wording.
The inclusion of references to attribution of cyber operations should not change the legal burden of proof, nor should it alter how the policy responds. Attribution of cyber operations to a sovereign state should not automatically trigger an exclusion of coverage.
The endorsement should clearly delineate between cyber attacks that constitute or are deployed as part of an ongoing war — and thus are beyond the scope of coverage — and cyber attacks that are not related to a war and so should not be inadvertently excluded."
I also like this cyber insurance case law history article and analysis at Law.com, and highlight the last two paragraphs here: “The summary review of recent case law discussed here, and comparison to earlier law makes it clear that the basic rubrics of contract law continue to guide the courts in their interpretation of cybersecurity insurance. Although it is well established that the new digital world has ushered in the burgeoning growth of cyber crime, and it is well advised to obtain coverage for anticipated cybersecurity events, the insured must be on alert as insurance policies will be contoured by insurers to limit their exposure.
“The relevant provisions of the policy must be scrutinized by the insured so as to assure that the policy will provide the broadest protection against a fraudster’s creative and ingenious schemes that may befuddle the staff of the insured and may lead to significant fraudulent transfers and losses.”
NEW U.S. NATIONAL STRATEGY AND CYBER INSURANCE
And if you think this topic can get no more complex, think again. As I identified in a recent blog on the new National Cybersecurity Strategy, cyber insurance is a major topic of discussion in the U.S. federal government.
This Forbes article (contributed by Forrester) does a nice job of summarizing the many strategic objectives in the strategy at a high level and is worth reading. Here is what they say about objective 3.6 under cyber insurance:
“Cyber insurance is one component of a multilayered cybersecurity and risk management strategy. Today’s environment of systemic risks stemming from global events, geopolitical threats and third-party risk events has a cascading impact on and across organizations — and the cyber insurance market. The call for a federal response to support the existing cyber insurance market is welcomed. This kind of subsidization, however, could be costly to the government, much like individual flood insurance. If exploration moves to enactment, reforms will likely be needed in the future. Meanwhile, organizations must address the current reality of cyber insurance market dynamics and increasingly stringent requirements for obtaining cyber insurance policies.”
Many are calling for the federal government to become the insurer of last resort for cyber insurance; however, that would require an act of Congress and seems unlikely in the short term.
WHAT CAN ORGANIZATIONS DO NOW?
In an Eversheds-Sutherland Legal Alert, the following advice was given to cybersecurity policyholders in the current environment:
“It remains to be seen the extent to which Lloyd's decision to exclude state-backed cyber attacks from standard cyber insurance policies will be mimicked by other insurance providers. However, Marsh Insurance initially published a critique of the exclusion requirement shortly after it was published, then softened its stance and suggested its own exclusion language some weeks later, perhaps indicating the direction of travel. From the insurance industry’s perspective, it is possible that some of the risk of state-backed attacks are shared with the public sector, as happens with other risks such as terrorism and the pandemic, and this is something which has already been called for by certain insurers.
“But, in this new environment, organizations may want to:
Pay particular attention to how terms like 'cyber operation' are defined, and how attribution will be determined in cases of suspected state-backed cyber attacks;
Scour definitions integral to policy coverage, such as 'software systems,' 'networks' and 'equipment,' to ensure appropriate coverage, including when attacks impact third-party applications, vendors, virtual networks and cloud services;
Verify the extent to which insurance company pre-approval is required, including in the heat of a crippling attack; and
Confirm they have robust and tested breach response plans in place, aligned with insurers, and that insurers have pre-approved the companies’ preferred outside counsel (not just panel counsel), forensic providers and crisis communicators.”
Davis Hake is the co-founder and vice president of communications and policy at Resilience Insurance. He offered this advice in his LinkedIn blog called Resilience:
“In advance of this discussion, however, there is more the insurance industry can do today to reduce the impact of these types of risks on clients and capacity providers.
First, regularly scan and warn all clients about critical vulnerabilities being exploited and have actionable mitigations. When Log4Shell was discovered, the Resilience Security team immediately checked all its clients and followed up directly with remediation actions. If there is a highly “contagious” vulnerability, we will ensure we are a part of the immune system response.
Second, leverage data-driven frameworks like the NIST Cybersecurity Framework and CIS Critical Controls as a part of underwriting and guidance to clients. Resilience leverages these tools in our modeling to ensure that our clients and capital placement follow the most up-to-date guidance on cyber hygiene.
Finally, use data tools to understand and model your portfolio risk. This has been a long-term goal for Resilience to help provide visibility to capital providers on sources of systemic risk. This drives proactive mitigations into our client base through guidance and policy language when we see trends that could lead to massive systemic-level losses.”
FINAL THOUGHTS
When I posted the FT.com article that I began this blog with on my LinkedIn page on Saturday, April 1, the responses came flooding in from all over the world.
If you read those comments and feedback on cyber insurance, you will see that perspectives are all over the map. But to sum up a widely held view, look at this comment from Niko Marjomaa, who works in Cybersecurity in Transaction Strategy and Execution at EY-Parthenon:
“Expected. There are so many companies already insured that should have never gotten one because of lacking investments and emphasis on cybersecurity. Also, recent court case decisions on liability have not been favorable to insurers. It was a matter of time, but the key question is: Where will they draw the line between state-sponsored and non-state sponsored because in case of China and Russia the line is very thin.”